From 17013766cb82c192b53d3c108ddbdc341b2324a7 Mon Sep 17 00:00:00 2001
From: Circle TechOps Repo Updater
Date: Tue, 9 Dec 2025 23:12:12 +0000
Subject: [PATCH] chore(stepsecurity): update workflows to use custom hosted runners with built-in StepSecurity
---
 .github/workflows/ci.yml | 10 +---------
 .github/workflows/npm-publish.yml | 10 +---------
 .github/workflows/release.yml | 10 +---------
 3 files changed, 3 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d55ed31..92347e8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,17 +4,9 @@ on:
 jobs:
 lint-and-test:
 name: "Lint and Test"
- runs-on: ubuntu-latest
- permissions:
- id-token: write
+ runs-on: github-hosted-small
 steps:
- - name: Harden the runner
- uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
- with:
- egress-policy: block
- policy: global-allowed-endpoints-policy
-
 - name: Check out repository code
 uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 50cfcb9..4aa7a04 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -10,17 +10,9 @@ permissions:
 jobs:
 publish-npm:
- runs-on: ubuntu-latest
- permissions:
- id-token: write
+ runs-on: github-hosted-small
 steps:
- - name: Harden the runner
- uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
- with:
- egress-policy: block
- policy: global-allowed-endpoints-policy
-
 - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 713b677..e771790 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
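Review bot: With the `Harden the runner` step removed from `lint-and-test`, nothing in ci.yml states that outbound traffic is still restricted. The previous `egress-policy: block` was visible and reviewable in the workflow, whereas the replacement depends entirely on how the `github-hosted-small` runner is configured outside this repository. The commit subject says StepSecurity is built into these runners, but the diff cannot confirm that the agent runs in block mode with an equivalent allowed-endpoints policy, so that should be verified before merge. I would record the dependency next to the label, e.g. `# github-hosted-small: custom runner with the StepSecurity agent preinstalled; egress policy is enforced by the runner, not by this workflow`. The same applies to the `publish-npm` hunk in npm-publish.yml and the `release-please` hunk in release.yml.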
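Review bot: Removing the job-level `permissions:` block from `publish-npm` makes the job inherit the workflow-level `permissions:` key that the hunk header shows, whose entries lie outside the hunk. The old block limited the job token to `id-token: write` only, because a job that declares permissions gets none for every unlisted scope; it was likely there for harden-runner's `policy:` lookup. The job that publishes the package may therefore now hold wider scopes than before, or may have lost `id-token` if the publish step relies on OIDC (npm provenance, for example). The publish steps continue past the end of the hunk, so this cannot be settled from the diff. Please confirm the workflow-level block grants only what publishing needs, or keep an explicit job-level block such as `permissions:` with `contents: read`.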
@@ -5,20 +5,12 @@ on:
 name: release-please
 jobs:
 release-please:
- runs-on: ubuntu-latest
+ runs-on: github-hosted-small
 outputs:
 did-create-release: ${{ steps.release.outputs.release_created }}
 release-tag: ${{ steps.release.outputs.tag_name }}
- permissions:
- id-token: write
 steps:
- - name: Harden the runner
- uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
- with:
- egress-policy: block
- policy: global-allowed-endpoints-policy
-
 - uses: google-github-actions/release-please-action@db8f2c60ee802b3748b512940dde88eabd7b7e01 # v3.7.13
 id: release
 with:
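Review bot: After this change `release-please` has no `permissions:` declaration anywhere in the visible context (the lines ahead of `jobs:` show only `on:` and `name:`), so its GITHUB_TOKEN appears to fall back to the repository or organisation default, which can be read/write on every scope. Before, the job-level block restricted the token to `id-token: write`. I would declare the job's needs explicitly: `permissions: {}` if the action is handed its own token in the `with:` block that continues outside the hunk, otherwise `contents: write` and `pull-requests: write`. The `lint-and-test` hunk in ci.yml looks to have the same gap and would take `permissions:` with `contents: read`.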